by vxk
My Root Kit Note
0. What the Root kit Real Mean For?
Root Kit is a kind of tools to hide itself or other files or process from normal users' eyes or take privileges for whom could control it...
1. Live With Hooks: Hook and Anti-Hook
To Hide Some Files or Process or Even Rebuild a Root kit’s Network may use hooking.
1.1 API HOOK
It's a long time this kind of hooking existed working with IAT or EAT or some time maybe inline. But it is very easy to defeat them, only to read and map a file in correct way then do right relocations, And then you would get real API address or the right code of API’s entry point.
1.2 SSDT HOOK
Sometimes when the API hook (base on pe-file structure) failed to defeat the hook-check, and some apiz wanted is non-exported, I got to SSDT way to hook, it is also a very long time since it turned to normal. And it is easy to find and fix too. One who can only read ntos kernel file and remap the SSDT could remove or check this kind of hooks.
1.3 IRP HOOK
|
PDriverObject->MajorFunction [MajorFunction] =XX XX XX XX ZZ=MajorFunction*4+0x38 C7 46 ZZ [<80] XX XX XX XX mov dword ptr [esi+50h], offset _FsdSetInformation@8 C7 86 ZZ[>=80] XX XX XX XX C7 43 ZZ [<80] XX XX XX XX mov dword ptr [ebx+50h], offset _FsdSetInformation@8 C7 83 ZZ[>=80] XX XX XX XX |
1.4 Interrupt Hook
For an example, a key logger root kit hook keyboard interrupts. Many powerful root kits to make themselves more useful use interrupts hook. It is hard to find out an interrupt hook on the range out of KiTrapXX's range (910920 put a way to read KiTrapXX’s Address from file...), and also hard to recover. But there is a will there is a way... (I do not know how to get a real address of an ISR which is not set by ntos kernel. But keyboard driver can tell me the real keyboard interrupt, it is hardcode searching...not good way)
1.5 NDIS Open Block Hook
A powerful root kit must support network in kernel mode. For this target, it may use TDI or NDIS,but TDI is easy to find or be defeated by anti-spy, so NDIS may be a good choice. Some root kit use IpFltDrv to reuse sock and do its own network,however, it is not nice ,many anti-spy can find the IpFltDrv changing, and IpFltDrv can only register one, it would be registered by others. As far as I see, the root kit uty_rk@winXp use protocols open block hooks to own the network. But actually it would crash when it were running with some anti-spy. So there is another way on Miniport layer,it is to hook NDISWAN Miniport Open Block, but there is a problem in how to get the list of NDIS miniport , see the NDIS IM Driver register course ,we know NdisIMRegisterLayeredMiniport can return a verb which is the a pointer to the list. And we can just register a fake IM to get the list pointer and then we could hook them just like hook protocol open blocks. To find this kind of hook must using hardcode search to find some VA from ndis.sys and tcpip.sys and ndiswan.sys.
1.6 Non-exported Inline Hook
Anti-spy may use inline hook to hook some important non-exported kernel mode calls and makes root kit difficult to do its work. And root kit can also use inline hook to bypass some checks. To find or recover an inline hook must use remap files and redo relocations, then compare the mappings and memory just like SVV. The recover of an inline hook might turn to a BSOD in the end.
2. Kernel Network: TDI and NDIS,Blue or Goal
Every useful root kit must support networking with kernel socket.
2.1 TDI
Most of free versions of root kit are using TDI Client Technology to make a kernel socket. But with the time changing, it is not useful today.
2.2 NDIS
hug_ntrootkit4.0@winNt/2k used registering NDIS Protocol to do its networking; uty_rk@winXp used NDIS Protocol Open Block Hooks to do the same thing. EVA_rk@winNt (no public version) used NDIS Miniport Open Block Hooks, and iceberg wrote a full-version tcp sock based on NDIS Miniport Open Block Hooks. But in my project bdrk and winss (no public version and still in construction), NDIS Miniport Open Block Hooks sit many blue screens…
3. KDOM: Fast to Die or A Good Way ?
Fu_rk@winNT brings a new way to hide process and get privileges and do some things only by modifying some structures in system memory.
Every coin has two faces, KDOM can do nearly every things but the target which will be modified is hard to get the right positions. And hardcode the offset or address may cause the system crashed. To find the KDOM modified is easy, only to use another link list or another database head…
4. Final
I am Chinese, and my English is very poor.
Contact me:
扫一扫
209
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
